
The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?)

  • Hugo Krawczyk
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2139)

Abstract

We study the question of how to generically compose symmetric encryption and authentication when building “secure channels” for the protection of communications over insecure networks. We show that any secure channels protocol designed to work with any combination of secure encryption (against chosen plaintext attacks) and secure MAC must use the encrypt-then-authenticate method. We demonstrate this by showing that the other common methods of composing encryption and authentication, including the authenticate-then-encrypt method used in SSL, are not generically secure. We show an example of an encryption function that provides (Shannon’s) perfect secrecy but when combined with any MAC function under the authenticate-then-encrypt method yields a totally insecure protocol (for example, finding passwords or credit card numbers transmitted under the protection of such a protocol becomes an easy task for an active attacker). The same applies to the encrypt-and-authenticate method used in SSH.

On the positive side we show that the authenticate-then-encrypt method is secure if the encryption method in use is either CBC mode (with an underlying secure block cipher) or a stream cipher (one that XORs the data with a random or pseudorandom pad). Thus, while we show the generic security of SSL to be broken, the current practical implementations of the protocol that use the above modes of encryption are safe.
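The following Python is an added worked example, not code from the paper or from any SSL/SSH implementation. It puts the abstract's three claims side by side: authenticate-then-encrypt (AtE) over a perfectly secret but malleable encryption leaks the plaintext to an active attacker through the receiver's decryption-error behaviour; AtE over a plain XOR-pad stream cipher resists the same attack; and encrypt-then-authenticate (EtA) rejects tampering before decryption runs at all. The bit-pair encoding (0 as 00, 1 as 01 or 10, 11 invalid) follows the counterexample in Krawczyk's full paper as I recall it; it is not reproduced on this page. The HMAC-SHA256 counter-mode pad standing in for a stream cipher, the separate encryption and MAC keys, the sample plaintext and all function names are this example's own constructions.

```python
import hashlib
import hmac
import os
import secrets

TAG_LEN = 32  # HMAC-SHA256 tag length


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Pseudorandom pad: HMAC-SHA256 in counter mode, standing in for a stream cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def unpack_bits(data: bytes) -> list:
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]  # MSB first


def pack_bits(bits: list) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


# Malleable but perfectly secret encryption (encoding assumed from the full paper):
# plaintext bit 0 -> pair 00, bit 1 -> pair 01 or 10 (random), pair 11 is invalid.
# The pairs are then one-time-padded, so the ciphertext alone reveals nothing;
# but flipping BOTH bits of a pair keeps a 1 valid and turns a 0 into 11 (error).
def encode_pairs(msg: bytes) -> bytes:
    bits = []
    for b in unpack_bits(msg):
        bits += [0, 0] if b == 0 else ([0, 1] if secrets.randbelow(2) else [1, 0])
    return pack_bits(bits)


def decode_pairs(enc: bytes) -> bytes:
    bits, out = unpack_bits(enc), []
    for i in range(0, len(bits), 2):
        pair = (bits[i], bits[i + 1])
        if pair == (1, 1):
            raise ValueError("invalid pair")
        out.append(0 if pair == (0, 0) else 1)
    return pack_bits(out)


def ate_send(ke: bytes, ka: bytes, nonce: bytes, msg: bytes) -> bytes:
    tagged = msg + mac(ka, msg)                       # authenticate the plaintext ...
    enc = encode_pairs(tagged)                        # ... encode ...
    return xor(enc, keystream(ke, nonce, len(enc)))   # ... then encrypt


def ate_receive(ke: bytes, ka: bytes, nonce: bytes, ct: bytes) -> str:
    """Verdicts an active attacker can tell apart: 'ok', 'decode_error', 'mac_error'."""
    try:
        tagged = decode_pairs(xor(ct, keystream(ke, nonce, len(ct))))
    except ValueError:
        return "decode_error"
    msg, tag = tagged[:-TAG_LEN], tagged[-TAG_LEN:]
    return "ok" if hmac.compare_digest(tag, mac(ka, msg)) else "mac_error"


def flip_bits(ct: bytes, positions) -> bytes:
    mask = bytearray(len(ct))
    for p in positions:
        mask[p // 8] |= 1 << (7 - p % 8)
    return xor(ct, bytes(mask))


def recover_plaintext(oracle, ct: bytes, nbytes: int) -> bytes:
    """Plaintext bit k lives in ciphertext bits 2k,2k+1: flip both, read the verdict."""
    bits = [1 if oracle(flip_bits(ct, (2 * k, 2 * k + 1))) == "ok" else 0
            for k in range(8 * nbytes)]
    return pack_bits(bits)


def ate_stream_send(ke: bytes, ka: bytes, nonce: bytes, msg: bytes) -> bytes:
    """AtE with a plain XOR pad: the case the abstract shows to be safe."""
    tagged = msg + mac(ka, msg)
    return xor(tagged, keystream(ke, nonce, len(tagged)))


def ate_stream_receive(ke: bytes, ka: bytes, nonce: bytes, ct: bytes) -> str:
    tagged = xor(ct, keystream(ke, nonce, len(ct)))
    msg, tag = tagged[:-TAG_LEN], tagged[-TAG_LEN:]
    return "ok" if hmac.compare_digest(tag, mac(ka, msg)) else "mac_error"


def eta_send(ke: bytes, ka: bytes, nonce: bytes, msg: bytes) -> bytes:
    ct = xor(msg, keystream(ke, nonce, len(msg)))
    return ct + mac(ka, nonce + ct)                   # tag covers nonce and ciphertext


def eta_receive(ke: bytes, ka: bytes, nonce: bytes, blob: bytes):
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(ka, nonce + ct)):
        return "mac_error", None                      # rejected before any decryption
    return "ok", xor(ct, keystream(ke, nonce, len(ct)))


def demo():
    ke, ka = os.urandom(32), os.urandom(32)           # separate encryption and MAC keys
    secret = b"pw:hunter2"                            # constructed sample plaintext
    n1, n2, n3 = (os.urandom(16) for _ in range(3))   # fresh pad per message
    # 1. Malleable encoding under AtE: the error oracle hands over every bit.
    ct = ate_send(ke, ka, n1, secret)
    leaked = recover_plaintext(lambda c: ate_receive(ke, ka, n1, c), ct, len(secret))
    # 2. Plain stream cipher under AtE: a flipped bit always lands in the MAC check.
    ct2 = ate_stream_send(ke, ka, n2, secret)
    stream_verdicts = {ate_stream_receive(ke, ka, n2, flip_bits(ct2, (k,)))
                       for k in range(8 * len(secret))}
    # 3. EtA: tampering is rejected on the ciphertext, whatever the cipher does.
    blob = eta_send(ke, ka, n3, secret)
    eta_verdicts = {eta_receive(ke, ka, n3, flip_bits(blob, (k,)))[0]
                    for k in range(8 * len(secret))}
    return leaked, stream_verdicts, eta_verdicts
```

`demo()` returns the recovered plaintext for case 1 (equal to the secret), and the set of receiver verdicts seen under bit-flipping for cases 2 and 3 (only `mac_error` in both). The attacker in case 1 never learns a key and never breaks the pad; it only needs to distinguish a decoding failure from an accepted message, which is exactly the kind of observable an active attacker on a real channel has. Cases 2 and 3 show the specific attack failing, not a proof of security; the abstract's positive result for stream ciphers and CBC rests on the analysis in the paper itself.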

Keywords

Encryption Scheme, Stream Cipher, Secure Channel, Symmetric Encryption, Encryption Function


Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Hugo Krawczyk, EE Department, Technion, Haifa, Israel
